[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [lwip-users] http server and pbuf overflow
|
From: |
Bernhard 'Gustl' Bauer |
|
Subject: |
Re: [lwip-users] http server and pbuf overflow |
|
Date: |
Thu, 21 Jan 2010 07:20:03 +0100 |
|
User-agent: |
Thunderbird 2.0.0.23 (Windows/20090812) |
Hi,
I checked the memory where pbuf pool is located. On power up it is zero
except for the ->next pointers. Some time later MEM PBUF_POOL used is at
3 (max=5) in spite there is no traffic. So I checked the memory again.
The top 3 pbufs (63, 62, 61) are like this:
->next=0
->tot_len=0
->len=0
->ref=1
pbuf (60) is like this:
->next=&pbuf[58]
->tot_len=0
->len=0
->ref=0
pbuf (59) is like this:
->next=&pbuf[59]
->tot_len=0
->len=0
->ref=0
All pbufs with ref=1 are not freed, all pbufs with ref=0 are freed. Is
this correct?
I crosschecked the pbufs with the attached wireshark file.
pbuf[63] = packet 55
pbuf[62] = packet 128
pbuf[61] = packet 99
In all 3 cases this is a FIN packet from remote after a corrupt
transfer. From the pcap file I can only guess whether ACK (42, 107, 83)
and POST (43, 108, 84) are missed, or passed on to my application.
I checked my http_recv(). I have 3 different exits:
1: pbuf_free(); tcp_abort(); return ERR_ABORT;
2: tcp_receved(); pbuf_free(); tcp_abort(); return ERR_ABORT;
3: tcp_receved(); pbuf_free(); return ERR_OK;
Is there anything wrong with an exit? Do I need tcp_recved() before
tcp_abort(); return ERR_ABORT; ?
Glad for any pointers.
Gustl
debug_20_01_a.pcap
Description: Binary data
debug_20_01_c.pcap
Description: Binary data
Re: [lwip-users] http server and pbuf overflow, Bernhard 'Gustl' Bauer, 2010/01/21
Re: [lwip-users] http server and pbuf overflow, Bernhard 'Gustl' Bauer, 2010/01/27
Re: [lwip-users] http server and pbuf overflow, Bob Brusa, 2010/01/18